From 11fdfe7299c5f640003d80c0928b64c5752f8e57 Mon Sep 17 00:00:00 2001
From: zhengxie <xiez1989@gmail.com>
Date: Mon, 19 Dec 2016 16:12:47 +0800
Subject: [PATCH] [invitation] Check duplicated accepter and add blocklist for
 accepter

---
 seahub/api2/endpoints/invitations.py    | 16 +++++++--
 seahub/invitations/utils.py             | 18 +++++++++++
 seahub/settings.py                      |  1 +
 tests/api/endpoints/test_invitations.py | 43 +++++++++++++++++++++++++
 tests/seahub/invitations/test_utils.py  | 14 ++++++++
 5 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 seahub/invitations/utils.py
 create mode 100644 tests/seahub/invitations/test_utils.py

diff --git a/seahub/api2/endpoints/invitations.py b/seahub/api2/endpoints/invitations.py
index f06e13abb4..91d7cb0c77 100644
--- a/seahub/api2/endpoints/invitations.py
+++ b/seahub/api2/endpoints/invitations.py
@@ -1,4 +1,5 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
+
 from django.utils.translation import ugettext as _
 from rest_framework import status
 from rest_framework.authentication import SessionAuthentication
@@ -11,11 +12,13 @@ from seahub.api2.permissions import CanInviteGuest
 from seahub.api2.throttling import UserRateThrottle
 from seahub.api2.utils import api_error
 from seahub.base.accounts import User
-from seahub.invitations.models import Invitation
 from seahub.utils import is_valid_email
+from seahub.invitations.models import Invitation
+from seahub.invitations.utils import block_accepter
 
 json_content_type = 'application/json; charset=utf-8'
 
+
 class InvitationsView(APIView):
     authentication_classes = (TokenAuthentication, SessionAuthentication)
     permission_classes = (IsAuthenticated, CanInviteGuest)
@@ -32,7 +35,7 @@ class InvitationsView(APIView):
         return Response(invitations)
 
     def post(self, request, format=None):
-        # Send a invitation.
+        # Send invitation.
         itype = request.data.get('type', '').lower()
         if not itype or itype != 'guest':
             return api_error(status.HTTP_400_BAD_REQUEST, 'type invalid.')
@@ -45,6 +48,15 @@ class InvitationsView(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST,
                              _('Email %s invalid.') % accepter)
 
+        if block_accepter(accepter):
+            return api_error(status.HTTP_400_BAD_REQUEST,
+                             _('The email address is not allowed to be invited as a guest.'))
+
+        if Invitation.objects.filter(inviter=request.user.username,
+                                     accepter=accepter).count() > 0:
+            return api_error(status.HTTP_400_BAD_REQUEST,
+                             _('%s is already invited.') % accepter)
+
         try:
             User.objects.get(accepter)
             user_exists = True
diff --git a/seahub/invitations/utils.py b/seahub/invitations/utils.py
new file mode 100644
index 0000000000..26bd678ec5
--- /dev/null
+++ b/seahub/invitations/utils.py
@@ -0,0 +1,18 @@
+# Copyright (c) 2012-2016 Seafile Ltd.
+import re
+
+from django.conf import settings
+
+def block_accepter(accepter):
+    for pattern in settings.INVITATION_ACCEPTER_BLACKLIST:
+        if pattern.startswith('*'):
+            if accepter.endswith(pattern[1:]):
+                return True
+        elif accepter == pattern:
+            return True
+        else:
+            compiled_pattern = re.compile(pattern)
+            if compiled_pattern.search(accepter) is not None:
+                return True
+
+    return False
diff --git a/seahub/settings.py b/seahub/settings.py
index 2469bc0fe5..d42ec79699 100644
--- a/seahub/settings.py
+++ b/seahub/settings.py
@@ -522,6 +522,7 @@ ENABLE_FOLDER_PERM = False
 # Guest Invite     #
 ####################
 ENABLE_GUEST_INVITATION = False
+INVITATION_ACCEPTER_BLACKLIST = []
 
 #####################
 # Sudo Mode #
diff --git a/tests/api/endpoints/test_invitations.py b/tests/api/endpoints/test_invitations.py
index 417d5b96af..1675c261c0 100644
--- a/tests/api/endpoints/test_invitations.py
+++ b/tests/api/endpoints/test_invitations.py
@@ -1,6 +1,7 @@
 import json
 from mock import patch
 
+from django.test import override_settings
 from post_office.models import Email
 
 from seahub.base.accounts import UserPermissions
@@ -35,6 +36,48 @@ class InvitationsTest(BaseTestCase):
 
         assert len(Invitation.objects.all()) == 1
 
+    @patch.object(CanInviteGuest, 'has_permission')
+    @patch.object(UserPermissions, 'can_invite_guest')
+    def test_can_not_add_same_email(self, mock_can_invite_guest, mock_has_permission):
+
+        mock_can_invite_guest.return_val = True
+        mock_has_permission.return_val = True
+
+        assert len(Invitation.objects.all()) == 0
+        resp = self.client.post(self.endpoint, {
+            'type': 'guest',
+            'accepter': 'some_random_user@1.com',
+        })
+        self.assertEqual(201, resp.status_code)
+
+        json_resp = json.loads(resp.content)
+        assert json_resp['inviter'] == self.username
+        assert json_resp['accepter'] == 'some_random_user@1.com'
+        assert json_resp['expire_time'] is not None
+
+        resp = self.client.post(self.endpoint, {
+            'type': 'guest',
+            'accepter': 'some_random_user@1.com',
+        })
+        self.assertEqual(400, resp.status_code)
+        assert len(Invitation.objects.all()) == 1
+
+    @override_settings(INVITATION_ACCEPTER_BLACKLIST=["a@a.com", "*@a-a-a.com", r".*@(foo|bar).com"])
+    @patch.object(CanInviteGuest, 'has_permission')
+    @patch.object(UserPermissions, 'can_invite_guest')
+    def test_can_not_add_blocked_email(self, mock_can_invite_guest, mock_has_permission):
+
+        mock_can_invite_guest.return_val = True
+        mock_has_permission.return_val = True
+
+        assert len(Invitation.objects.all()) == 0
+        resp = self.client.post(self.endpoint, {
+            'type': 'guest',
+            'accepter': 'some_random_user@a-a-a.com',
+        })
+        self.assertEqual(400, resp.status_code)
+        assert len(Invitation.objects.all()) == 0
+
     @patch.object(CanInviteGuest, 'has_permission')
     @patch.object(UserPermissions, 'can_invite_guest')
     def test_can_send_mail(self, mock_can_invite_guest, mock_has_permission):
diff --git a/tests/seahub/invitations/test_utils.py b/tests/seahub/invitations/test_utils.py
new file mode 100644
index 0000000000..fe696fd99c
--- /dev/null
+++ b/tests/seahub/invitations/test_utils.py
@@ -0,0 +1,14 @@
+from django.test import override_settings
+
+from seahub.invitations.utils import block_accepter
+from seahub.test_utils import BaseTestCase
+
+
+class BlockAccepterTest(BaseTestCase):
+    @override_settings(INVITATION_ACCEPTER_BLACKLIST=["a@a.com", "*@a-a-a.com", r".*@(foo|bar).com"])
+    def test_email_in_blacklist(self):
+        assert block_accepter('a@a.com') is True
+        assert block_accepter('a@a-a-a.com') is True
+        assert block_accepter('a@foo.com') is True
+        assert block_accepter('a@bar.com') is True
+        assert block_accepter('a@foobar.com') is False